Krebs on Security

In-depth security news and investigation

Hyatt Card Breach Hit 250 Hotels in 50 Nations

If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

In a statement released Thursday, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a “small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks.” The list of affected hotels is here.

U.S. banks have been transitioning to chip-based (EMV) credit and debit cards, and a greater number of retailers are installing checkout terminals that read customer card data off the chip. The chip does not hide the account number; what it adds is a secret key that never leaves the card and a cryptogram computed fresh for every transaction, so data captured from one purchase cannot be replayed to produce a working counterfeit chip card. That makes counterfeiting much more difficult and expensive for thieves.

However, most of these chip cards still carry the same account data in the clear on the magnetic stripe, and U.S. merchants that continue to let customers swipe the stripe, or that have not put chip readers in place, shoulder all of the liability for any transactions later determined to be fraudulent.
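To make the difference between the two technologies concrete, here is an added example (not from the article or from any card network) that models both in a few dozen lines of Python. The Track 2 string, the issuer master key and the amounts are constructed for the demo, and HMAC-SHA256 stands in for the EMV 3DES key derivation and MAC; the structure is what matters: the stripe is verified against static data on file, while the chip request carries a MAC over the amount, a terminal nonce and a per-card transaction counter (ATC) that the issuer requires to increase.

```python
"""Why magstripe data can be cloned but a chip cryptogram cannot (simplified model)."""
import hashlib
import hmac

# Constructed sample Track 2 (ISO/IEC 7813): PAN '=' YYMM, service code, discretionary data.
# 4111111111111111 is a well-known test PAN, not an issued account.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"


def parse_track2(track2: str) -> dict:
    """Split Track 2 into its fields. Every field is static, so one read of the
    stripe yields everything a counterfeit stripe needs."""
    body = track2.strip(";?")
    pan, rest = body.split("=", 1)
    return {
        "pan": pan,
        "expiry": rest[0:4],        # YYMM
        "service_code": rest[4:7],
        "discretionary": rest[7:],  # issuer data; holds the CVV1 on real cards
    }


def card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key derived from the issuer master key. Real EMV derives a 3DES
    key and MACs with it; HMAC-SHA256 stands in for both here (assumption)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def _mac(key: bytes, pan: str, amount: int, un: str, atc: int) -> str:
    msg = f"{pan}|{amount}|{un}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Holds a key that never leaves the chip plus a transaction counter (ATC)."""

    def __init__(self, pan: str, master_key: bytes):
        self.pan = pan
        self.atc = 0
        self._key = card_key(master_key, pan)

    def cryptogram(self, amount_cents: int, unpredictable_number: str) -> dict:
        """Authorization request bound to amount, terminal nonce and counter."""
        self.atc += 1
        return {"pan": self.pan, "amount": amount_cents, "un": unpredictable_number,
                "atc": self.atc,
                "mac": _mac(self._key, self.pan, amount_cents, unpredictable_number, self.atc)}


class Issuer:
    """Approves swipes on static data only; approves chip requests only with a
    valid MAC and a strictly increasing ATC per PAN."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._last_atc = {}
        self._stripes = {}   # pan -> discretionary data on file

    def enroll_stripe(self, track2: str) -> None:
        t = parse_track2(track2)
        self._stripes[t["pan"]] = t["discretionary"]

    def authorize_swipe(self, track2: str) -> bool:
        t = parse_track2(track2)
        return self._stripes.get(t["pan"]) == t["discretionary"]

    def authorize_chip(self, req: dict) -> tuple:
        key = card_key(self._master, req["pan"])
        expected = _mac(key, req["pan"], req["amount"], req["un"], req["atc"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad cryptogram"          # fields altered without the card key
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return False, "replayed or stale ATC"   # captured request reused
        self._last_atc[req["pan"]] = req["atc"]
        return True, "approved"


def demo() -> dict:
    master = b"issuer-master-key-demo"   # constructed secret, not a real key
    issuer = Issuer(master)
    issuer.enroll_stripe(SAMPLE_TRACK2)
    card = ChipCard("4111111111111111", master)

    # Magstripe: the skimmer's copy is the original, and it works as often as you like.
    skimmed_copy = SAMPLE_TRACK2
    swipes = [issuer.authorize_swipe(skimmed_copy) for _ in range(3)]

    # Chip: the genuine request is approved once...
    genuine = card.cryptogram(1999, "7A3F11C0")
    first = issuer.authorize_chip(genuine)
    # ...replaying the captured request fails on the counter...
    replay = issuer.authorize_chip(dict(genuine))
    # ...and changing the amount without the card key fails on the MAC.
    altered = issuer.authorize_chip(dict(genuine, amount=99999, atc=genuine["atc"] + 1))

    return {"stripe_clone_swipes": swipes, "genuine": first,
            "replay": replay, "altered": altered}
```

Run `demo()` to see the three swipes of the cloned stripe approved and the replayed and altered chip requests rejected. The caveat the article goes on to make still applies: the PAN and expiry in the chip request are readable by anyone who captures it, so the cryptogram stops counterfeiting, not card-not-present fraud.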

The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.

Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards, that card data is typically shipped to thieves here in the United States, who can counterfeit the cards and use them to steal merchandise from U.S.-based big box retailers.

What’s remarkable about the U.S. experiment with moving to chip cards is that the discussion about whether and when to move to more physical security (chips) in credit and debit cards has played out almost entirely apart from the move to impose expensive and increasingly labyrinthine compliance regulations (PCI) on merchants that wish to process or accept card transactions.

Instead of just mandating that banks and retailers shift in lockstep to handling chip cards, U.S. lawmakers and regulators have for years delegated (abdicated?) accountability for credit card security to a booming industry of auditors and assessors who’ve been trying to secure a technology (magnetic stripe-based cards) that is 60 years old and about as secure as mailing your credit card number on a postcard.

For all the attention given to sophisticated new ATM and card skimming devices, the technology a skimmer needs to read card data off the magnetic stripe is no more sophisticated than the components of a 35-year-old Sony Walkman. I should note here that while the chip-based liability shift for retailers went into effect in October 2015, that same shift doesn’t extend to ATMs until October 2016 and to unattended payment terminals (e.g. gas pumps) until October 2017.

As chip card adoption picks up here in the States and counterfeiting cards becomes more expensive for cyber thieves, we will start to hear about far fewer of these retail breaches. E-commerce providers will no doubt feel the brunt of this shift, because thieves don’t just go away when you make things harder on them; they go where there are more plentiful victims and fewer up-front costs. And for cybercrooks there is a great deal of low-hanging fruit in the e-commerce sector (and plenty of new businesses coming online for the first time every day).

There is another big shift in fraud that’s coming but that is probably not getting enough attention from the banks, retailers and e-commerce providers: It’s a safe bet that we can also expect a giant spike in account takeovers and in new account fraud. Both forms of fraud are closely linked to static consumer identity data (SSN, DOB, etc.) that is widely available in the cybercrime underground. Banks and retailers alike have a lot of work ahead of them to improve the reliability and scalability of systems for authenticating and really knowing their customers.

Instead, many financial institutions have squandered a great deal of their resources trying to figure out which retailers are exposing their customers’ cards. That’s because Visa, MasterCard and the other card associations won’t tell banks which retailers have been hit; they just send them incessant updates about specific card numbers suspected to have been compromised in a breach somewhere. It’s then up to the banks to work backwards from the breached cards and triangulate which merchant shows up most frequently in a given batch of cards, what the industry calls common-point-of-purchase analysis.
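The triangulation described above is easy to get wrong: a grocery chain that every cardholder uses will appear on nearly every compromised card without being the breach site. The following is an added example (not from the article or from any bank's tooling) of the common-point-of-purchase calculation with that trap handled. The transaction history, the alert batch and the merchant names are constructed for the demo; the exposure window is the one from the Hyatt disclosure. Each merchant is scored by lift, the share of the alert batch seen there divided by the share of all cards seen there, with a minimum number of compromised cards before a merchant is reported at all.

```python
"""Common-point-of-purchase (CPP) analysis: which merchant a batch of compromised cards shares."""
from collections import defaultdict
from datetime import date


def tx(merchant, when, *cards):
    """Build (card, merchant, date) rows for the constructed transaction history."""
    return [(card, merchant, when) for card in cards]


# Constructed issuer-side history: ten cards, three merchants. Not real data.
TRANSACTIONS = (
    tx("BigBoxGrocery", date(2015, 9, 1), *[f"c{i:02d}" for i in range(1, 11)])
    + tx("HotelRestaurant", date(2015, 9, 5), "c01", "c02", "c03", "c04", "c06")
    + tx("HotelRestaurant", date(2015, 7, 20), "c07")   # before the window, must be ignored
    + tx("CoffeeShop", date(2015, 9, 9), "c01", "c02", "c05", "c07", "c08")
)

# Constructed alert batch: five card numbers flagged by the network, source unnamed.
COMPROMISED = {"c01", "c02", "c03", "c04", "c05"}

# Exposure window from the Hyatt disclosure.
WINDOW_START, WINDOW_END = date(2015, 8, 13), date(2015, 12, 8)


def common_point_of_purchase(transactions, compromised, start, end, min_cards=3):
    """Rank merchants by lift: share of the alert batch seen at the merchant divided
    by the share of all cards seen there. A merchant everyone uses scores about 1.0
    however many compromised cards it saw; the breach site scores well above that."""
    cards_by_merchant = defaultdict(set)
    for card, merchant, when in transactions:
        if start <= when <= end:
            cards_by_merchant[merchant].add(card)
    all_cards = {card for card, _, _ in transactions}

    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hits = cards & compromised
        if len(hits) < min_cards:          # too little support to say anything
            continue
        coverage = len(hits) / len(compromised)
        base_rate = len(cards) / len(all_cards)
        ranked.append((merchant, len(hits), round(coverage, 2), round(coverage / base_rate, 2)))
    ranked.sort(key=lambda row: (-row[3], -row[1]))
    return ranked


if __name__ == "__main__":
    rows = common_point_of_purchase(TRANSACTIONS, COMPROMISED, WINDOW_START, WINDOW_END)
    for merchant, hits, coverage, lift in rows:
        print(f"{merchant:16s} compromised cards seen={hits} coverage={coverage} lift={lift}")
```

On this data the grocery chain is seen on all five compromised cards yet ranks last (lift 1.0), while the hotel restaurant, seen on four of five, ranks first (lift 1.6). Widening the window to include the July visit lowers the restaurant's lift, which is why the date range matters as much as the card list. Lift is a signal to investigate, not proof: a real run uses thousands of cards and also checks that the suspect transactions precede the first fraudulent use on each card.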

All of this probably explains why on any given week I’m contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they’re experiencing. As a journalist, this is a bit of a surreal situation, but I can’t complain much: It has allowed this author to break story after story about card breaches in the retail sector over the past two years.

This entry was posted on Friday, January 15th, 2016 at 1:15 pm and is filed under A Little Sunshine, Data Breaches.

42 comments

One thing I did find interesting about the European usage of the chip card was that I was in Berlin for a week last June for the FIRST Conference and only once the entire trip was my chip card actually used as a chip card and required my PIN, at a Thai restaurant. Everywhere else it was just run as a regular card. What I did find interesting was that there was a large amount of cash only places, mostly bars.

Perhaps the EU has merchant and banking coordination better than the US. Brian’s article points to one factor that could improve the situation – perhaps a data analysis clearing house to post bankers as to who is compromised.

This already exists in several forms today. A centralized clearing house has been discussed… but there are a ton of competing interests on that point – primarily, if everyone ‘knows’ about it, it suddenly places a burden of required action. Then someone has to enforce that. Regulatory schemes take time… are clumsy… and ultimately end up outlasting their usefulness.

In one of these places they once told me that in Germany the bank charges you 50 cents per credit card payment plus a small percentage.
If this is true it is next to impossible to sell a coffee for 1€ if you accept payment by credit card.

When accepting Maestro cards the shop owner or terminal vendor can choose between two models:
– If you want the terminal to ask for a PIN you pay something like 29 cents plus a percentage, but the bank will guarantee that if the payment is accepted the shop will get the money.
– If your terminal asks for your signature instead, the shop either gets the money or, if the client has run out of money/has stopped the payment/used a card that wasn’t valid at all, the client’s address so they can ask the client to pay. But you save the 29 cents.

Given that in Germany nearly nobody accepts credit cards (and therefore nearly nobody can be compromised to steal credit card data) what the clerk told me might be true.

There’s a reason for that; it costs money to process a card transaction. I know of a few businesses that deal in cash only, no checks or credit cards, and others where you must purchase an amount above a minimum, say $7. I went to NYC three years ago and one of the stores around the corner from the hotel I was staying at required you to spend above $7-8 just to use your credit or debit card.

More interesting, two years ago in Canada I had to drive all over trying to find a station that would take my non-chip cards. Almost all had switched and required usage of chip cards. And this is in the middle of nowhere Quebec, not downtown Montreal.

How much could it cost to add a chip reader to every PC? Or as a USB dongle? Then online transactions could be chip enabled at the purchaser’s PC. Proof of transaction instead of credit card data would be sent to vendor.

For phone, if the reader was available, they could give the card number and a 10 character hash of transaction details instead of the CVV to the vendor.

With Apple pay and other schemes, the cell phone is practically becoming the next credit card! Sometimes I wonder if the same security can be hard wired into a cell phone and the app that controls it, and can that match the small advantage the chip-n-pin tech supposedly provides.

I’m not much of an advocate for this expensive shift to relatively old tech, when too many weaknesses have been exposed in chip-n-pin. I would think putting something better on a cell phone could speed adoption – I could be wrong – as I don’t know what expense the merchant will have to go through on the POS side of things. It does seem they have already adapted to cell phone instant pay tech like a baby duck to water.

JCitizen: One possible solution is to increase the security of the payment message. This reduces the dependence on the security of the devices and the transmission media. See http://www.NC3.mobi where this has been available for V/MC for years.

While mobile payments are interesting, they haven’t been subjected to the same kind of security analysis and testing. This will all take time to play out. There will be some solutions done well. There are a lot done badly.

Most of the problems with breaches are with general purpose computer systems. PCs running POS. Server based systems are probably less of a problem. Certainly most of the breaches in recent years have been at the POS.

There are hardware based solutions, some even that work with mobile, that keep the data out of the PC, phone, etc. These don’t require chip either.

When the fraudsters find credit cards less interesting they will move to the next thing.

Even the solutions that look good on the surface will likely have weaknesses. It will take time to work through this. But I would expect there will be some mobile solution breaches before all is said and done.

In the Netherlands, the various banks are cooperating in a scheme called iDeal. Vendors demanding payment redirect the customer to an iDeal web page, where you choose your bank. Then you get redirected to your bank’s e-banking site where you do the actual payment (things like the amount and the recipient are already set). The vendor then receives confirmation of payment.

There was something similar to this elsewhere in Europe; I remember doing this for plane tickets for Ryanair or EasyJet or Wizz… this was several years back. There were a few different systems for this, but in order to pay for your tickets, you needed to log into your bank to authorize the payment, and the online banking was two-factor. It was two-factor from the moment you opened the account. That was back in 2010.

In Germany they sell you readers with a keyboard and LCD screen (so you can check that the amount of money you are paying, by entering your PIN, really is the amount you see on your laptop screen, and no keylogger can steal your PIN) for 30 euros. But I seem to remember that some of these readers once accepted unencrypted and unsigned firmware updates…
…if you include the reader with the computer, and use the computer’s screen and keyboard: how do you stop people from stealing the PIN or altering the transaction?

Perhaps I may tell a story that might answer the question about the infection vector.

I stayed at a place called the Fairhaven Inn in Bellingham, Washington recently. That hotel has a cozy little fireplace room adjacent to the front desk.

I decided to stay up and read late one night in the fireplace room and what did I notice? The desk attendant came to me and told me that he’s closing the lobby and will be available on call if I needed anything and then proceeded to turn the lights down and leave the desk unattended with a note to use the phone if anyone needed anything and then went into a private door off to one side of the lobby.

The desk and the POS device were left unattended. If I was a bad guy, I could have done anything to that POS and no one would have noticed it.

Perhaps this is the infection vector? The lobby help turns in for the night, leaves a note next to the desk phone, then goes through a private door and leaves the lobby/desk/POS unattended, and then someone like me who is staying up late reading in the library decides to play with the POS?

They got me. Risk management company called me last weekend telling me they put a hold on a charge at the Atlantic Palace Hotel due to it being suspicious. That’s what I get for paying too much for food at Dragon Con.

Question: of the countries USA, Canada, UK and Australia, where is there more fraud? As the UK has Verified by Visa, in the UK it’s impossible to commit any credit card fraud because of chip, Verified by Visa and MasterCard SecureCode. It’s interesting to know which country is carders’ favourite; let’s open a discussion about this. On the other hand I think it’s time for chipping people; this will be the solution for people to lose fraud and identity theft, with the chip connected to bitcoin.

Every time we read about one of these things at a hotel, the common thread seems to be that the systems at the restaurant are infected, and not so much the front desk (although it sounds like a few front desks also got infected here).

Would it be reasonable to simply charge things to your room while you are at the hotel to avoid handing your credit card to anyone? At the end you have a single transaction at the front desk, and that’s it.

Won’t work. What about those who eat at the restaurant but not stay at the hotel?

Perhaps since the front desk is manned longer hours than the restaurant, could it be that the POS in the restaurant is left unattended for longer hours than the POS in the front desk?

As a guest, I have occasionally wandered around the large hotels that I have stayed in because I could not sleep or I simply wanted to think things through. I have been able to ‘touch’ unattended POS’s in places in the hotel that were physically accessible from inside the hotel building (since I am a guest, no one challenges me for being in the building during late hours). To keep the riff-raff out, they lock all doors except the main front door after 9 PM.

So, I could have ‘infected’ the restaurant/shop POS’s after about 9 PM while the receptionist is standing at his/her POS at the desk, which is not in line-of-sight of the shops and restaurants that are not unattended.

One can only hope. On the other hand social-hacker Samy has created a device, a little larger than a quarter, that Jedi-Waves the EMV terminal into not needing an EMV chip and then not requiring a swipe either. See http://nc3.mobi/15unk/#20151124

That weakness has been around for years. What other weaknesses exist? We need security in the payment message itself so as not to depend on terminals and transmission media for security. That too has been around for years. Someone tell Ajaypal Banga!

The EMV doesn’t encrypt the data. It presents something that looks like a mag stripe with some variable data in it that allows for cryptographic authentication. If you steal this data you still get the account, expiry, and possibly the name.

The contactless also does something similar. I believe the data presented must include a dynamic portion (the original spec didn’t require it be dynamic just different).

Basically the data should be worthless by itself unless you can find an ecommerce merchant that doesn’t require the security code off the back of the card. Even then there are controls like address verification that present another challenge.

I’m contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they’re experiencing.

Brian,
Even if the person had their card compromised and set out to locate the actual transaction by visiting the retailer and finding out who was using it, in order to provide it to the bank, they always say thanks but we’ll just replace your card. This is according to one thread poster on WaPo.

At this point, I am a lot more interested in the specific details regarding the payment systems, card readers, and internal networks of the businesses in question. What are the ‘brand names’ of the card readers? What software are these readers running? What are the types of devices/machines running on the same internal networks? What routers are these payment systems running through? Who has direct access to the card readers, networks, and other devices/machines on these networks? What are the common threads with ALL of these breached systems? Are they all using the same antivirus software? Are they all using the same suite of cloud service software? Do they all use the same ISP (within reason)? Do all these companies outsource their IT dept. to the same company/country? Are they all Fortune 500 companies? Are they all subsidiaries of some other larger company? Are they all managed by the same people? Do all these companies use the same bank? Do all these companies donate to/affiliate with/capitulate to the same political party?

If merchants don’t use the chip technology, aren’t they liable for all losses? It may just be sloppy practices that are costing these businesses, and the card companies should make them pay fully for the lack of security. A constant stream of chargebacks will get them to get better with the new cards.

When you say “customer data” is in the cards on the mag stripe, some readers may easily misunderstand what that is.

Most of the data is just strings of numbers. The account number and expiry date, with the rest being meaningful only to payment systems. The person’s name from the front of the card is the only thing that is truly customer data. Many payment systems don’t even use that part of the stripe. And while the bank that makes your card has more information on you, that isn’t on the card nor available to someone processing the card.

As long as the customer isn’t liable for fraudulent transactions the presence of the account number shouldn’t be a concern.

1. This is pretty clear with credit cards and mag stripe fraud.
2. Consumers with debit cards would want to be more sure about liability (it may vary).
3. Consumers will naturally be a bit more cautious with PIN because the transaction is harder to refute.

As with anything new, it takes time for people to adapt.

Having said that these criminal databases of personal information are a huge worry not just to the payments industry but everyone. We collectively need to keep pushing this issue before it gets totally out of control.

quoting Target Chairman, President, and Chief Executive Officer Gregg Steinhafel “Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach.”

Being certified misses the point because the certifications miss the point. Which is why bad things happen even though certs are acquired. Then everyone gets so confused about why things fall through the cracks.

Google claimed its browser meets all requirements and standards, and yet few people seem to understand that it is ‘the standards’ of HTML5 that allow the Chrome browser to remotely activate the camera and microphone. NOT a fault or responsibility of Google.

I’m specifically addressing the article’s comment that PCI DSS is “expensive and cumbersome”. These standards, like any other, are expensive only because they call out existing gaps that in theory causes an organization to spend funds not originally earmarked for IT security, and cumbersome only because organizations are bolting-on security, not including good practices from the beginning.

The subsequent reveal that Target was not, in fact, compliant is not a fault of PCI DSS. The fault lies somewhere with Target and their procedures, or with the QSA that informed them their procedures were adequate and functioning. But again, that is not the original point of my comments.

Having worked with many QSAs, just like anything else, there are good ones, and there are ones who are fresh out of school, who attended a PCI training class and were told to go do audits.

PCI is not hard, but when you do not bake security in to start with, you are forced to change so many things to become “compliant” that many businesses choose to “accept the risk”. That is why PCI fails.

Compliance does NOT equal security, but it is a start in the right direction.

Well, since the Hyatt info isn’t really any more detailed than before, I’ve had to go through my records and figure out a) if I stayed at any of the affected hotels during the time period specified (yes, 3 of them, for 5 total stays), b) which credit card I used to pay there (one stay based on points I couldn’t tell since there was no bill online, two others I’ve had to request the folio as they weren’t available online). Now I’ve got to personally call to cancel and reissue these cards. If they’d been more specific about which registers were compromised at which hotels, I could probably avoid all of this, since I only used these for room charges. But they haven’t released that info…

I used to be a service technician for the most popular POS system in hospitality, which is called MICROS 9700. The software has a huge security bug because it keeps credit card data in memory in clear text. When Oracle bought them, instead of fixing this they saw it as an upgrade opportunity. This is when I left the company. Landry’s, Hilton, Hyatt, Starwood, Wyndham and many, many more of the breaches all have a common vector, and it’s the security problem in MICROS software. I am surprised it is still PCI compliant. I am more surprised they have not been sued.